INDUSTRIAL CYBER RISK MANAGEMENT
A GUIDELINE FOR OPERATIONAL TECHNOLOGY
AUTHOR
Jason D. Christopher
PRINCIPAL CYBER RISK ADVISOR, DRAGOS, INC.
MARCH 2021
PRESENTED BY
Executive Summary
Critical infrastructure owners and operators have managed industrial risk for hundreds of years. This risk is usually measured in impact to health, safety, and reliability. As these industrial systems become increasingly digitized, so does the risk. What were once seen as isolated, manual processes have become reliant on communication networks and digital devices. As a result, a new category of industrial risk was created: industrial cyber risk.
As with other areas of industrial risk, cyber risk requires specific processes tailored to operations and reliability. Unfortunately, due to the variety of stakeholders involved, ownership of cyber risk is rarely defined in most organizations, which causes increased confusion and lack of action.
This guidance document is based on a collection of standards, best practices, and applied knowledge from industrial system owners and operators in critical infrastructure. This industrial cyber risk management guideline is designed for scalability and can be adapted to any operational environment, from large multinational corporations to small municipal utilities. The methodology includes concepts, artifacts, and processes that can be added to any existing risk management program, regardless of overall maturity or resources.
CORPORATE GOVERNANCE
Unlike traditional information-centric cyber risk programs, the Dragos risk management process leverages operational technology concepts and builds on safety and reliability artifacts, like Process Hazard Analysis (PHA) and engineering controls, that may be leveraged in treating industrial cyber risk. Industrial organizations already have readily available information regarding failure modes, safety implementation levels, and possible physical impacts due to equipment damage, all of which should be leveraged in a cyber risk program.